Improve FDM/cred theft detection

2025-02-16 17:37:06 +00:00 · 2023-09-20 08:03:25 -04:00 · 2023-09-20 08:03:25 -04:00 · 4e820ae59e
commit 4e820ae59e
parent ddb37c066a
2 changed files with 22 additions and 4 deletions
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -9,7 +9,8 @@
 -- tags: transient process events
 -- platform: linux
 -- interval: 300
-SELECT -- Child
+SELECT
+  -- Child
  pe.path AS p0_path,
  pe.time AS p0_time,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
@ -119,6 +120,13 @@ WHERE
    OR p0_cmd LIKE '%ld.so.preload%'
    OR p0_cmd LIKE '%urllib.urlopen%'
    OR p0_cmd LIKE '%nohup%tmp%'
+    OR p0.cmdline LIKE '%.ssh/%'
+    OR p0.cmdline LIKE '%tar%.local/share%'
+    OR p0.cmdline LIKE '%.config%gcloud%'
+    OR p0.cmdline LIKE '%.aws/%'
+    OR p0.cmdline LIKE '%.mozilla%firefox%'
+    OR p0.cmdline LIKE '%.config/%chrome%'
+    OR p0.cmdline LIKE '%tar%.config%'
    OR p0_cmd LIKE '%systemctl stop firewalld%'
    OR p0_cmd LIKE '%systemctl disable firewalld%'
    OR p0_cmd LIKE '%pkill -f%'
@ -202,4 +210,4 @@ WHERE
    'bash,500,ninja,bash',
    'ls,500,zsh,alacritty',
    'bash,0,bash,containerd-shim-runc-v2'
-  )
+  )
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@ -41,7 +41,8 @@ FROM
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE -- Known attack scripts
+WHERE
+  -- Known attack scripts
  (
    p0.name IN (
      'bitspin',
@ -79,6 +80,8 @@ WHERE -- Known attack scripts
    OR p0.cmdline LIKE '%lushput%'
    OR p0.cmdline LIKE '%incbit%'
    OR p0.cmdline LIKE '%traitor%'
+    OR p0.cmdline LIKE '%ethereum%'
+    OR p0.cmdline LIKE '%electrum%'
    OR p0.cmdline LIKE '%msfvenom%' -- Unusual behaviors
    OR p0.cmdline LIKE '%ufw disable%'
    OR p0.cmdline LIKE '%dd if=/dev/%'
@ -87,6 +90,13 @@ WHERE -- Known attack scripts
    OR p0.cmdline LIKE '%chattr -ia%'
    OR p0.cmdline LIKE '%chflags uchg%'
    OR p0.cmdline LIKE '%bpftool%'
+    OR p0.cmdline LIKE '%.ssh/%'
+    OR p0.cmdline LIKE '%tar%.local/share%'
+    OR p0.cmdline LIKE '%.config%gcloud%'
+    OR p0.cmdline LIKE '%.mozilla%firefox%'
+    OR p0.cmdline LIKE '%.aws/%'
+    OR p0.cmdline LIKE '%.config/%chrome%'
+    OR p0.cmdline LIKE '%tar%.config%'
    OR p0.cmdline LIKE '%touch%acmr%'
    OR p0.cmdline LIKE '%ld.so.preload%'
    OR p0.cmdline LIKE '%urllib.urlopen%'
@ -133,4 +143,4 @@ WHERE -- Known attack scripts
  )
  AND NOT p0.cmdline like '%socat UNIX-LISTEN:%com.discordapp%discord-ipc%'
  AND NOT p0.cmdline IN ('nc 127.0.0.1 5900')
-  AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
+  AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')